A massive data leak containing personal information on 75% of Malta’s population has recently been revealed by an online monitoring service called Under the Breach.
The leak held a voter database that was in possession of a company called C-Planet IT Solutions. The leak contained personal information such as names, addresses and ID card details of more than 330,000 Maltese citizens.
The company in question is owned by Philip Farrugia, a former production director at the Labour Party media, One Productions. He is also the brother-in-law of Parliamentary Secretary for EU funds Stefan Zrinzo Azzopardi.
Following the revelations of the huge data breach, the company brushed off the seriousness of the leak as a ‘mishap’. It also said it would not be replying to any questions on the issue because the information in question was ‘old’.
A corporate lawyer who spoke with The Shift explained that the argument that the leaked data was ‘old’ is irrelevant. The General Data Protection Regulation (GDPR) states data controllers are obliged to keep personal data up-to-date.
Article 5 of the GDPR also states data should not be kept for longer than necessary. It has been reported that the data which was leaked in this case goes back to before the 2013 elections.
The other reason why, in this case, the ‘old’ data argument does not make sense is that the information leaked includes items such as ID card details, which are never changed. “Under GDPR, the age of the data does not affect the severity of the breach,” the lawyer explained.
C-Planet IT Solutions issued a statement saying that upon knowledge of the breach, it immediately alerted the authorities. It then said that no further information would be given as it might ‘hinder ongoing investigations’ – on data that has been in the public domain for close to a year.
Besides basic information, the data which was leaked also held a section identifying the individuals as either Labour or Nationalist voters. The monitoring service that revealed the leak said that the data was available for everyone to access without the need for a password or identification.
The lawyer told The Shift that the fact that the data contained fields for political party leaning makes the leak even more serious.
The Data Protection Commissioner announced it will be launching an investigation into the matter. Its actions are limited and the government’s response to a previous data breach was weak and did not safeguard citizens’ rights.
The Shift had revealed a data leak from the Lands Authority, which left around 5,000 with exposed personal information which included ID cards, passports and signed applications. The data in question was compiled by the Labour Party in government.
When the Lands Authority data breach was revealed, the government was quick to downplay the seriousness of the issue saying that there was no confidential information leaked in the security flaw of the Authority’s website. The government’s reaction came even though evidence showed that the website in question had very weak to almost non-existent security measures.
To rub salt in the wound, the Lands Authority announced that an investigation into the matter was being led by former One TV presenter Charlene Muscat. Muscat, who at the time was also Mayor of Imqabba and a canvasser for Minister Owen Bonnici, was appointed as ‘independent chief audit officer’. The former TV presenter, who did not apply for the post and had no previous experience, was herself affected by the data breach.
Minister Ian Borg had refused to apologise for what was described by security experts as “massive incompetence and gross negligence” when he was asked about the issue in parliament. The Data Commissioner had fined the Authority 5,000 – effectively another fine on taxpayers.
Those affected by the data breach had every right to sue the government. In fact, the real deterrent which falls under the GDPR is that individuals are able to sue the data controller. Citizens were never informed of the breach and their rights, as required by law.
The individual involved in the massive data breach went on to a better job – handling data and information security at the Malta Financial Services Authority. One of the 2013 Labour Party’s young stars, Keith Mintoff, was identified in a report tabled in parliament as being centrally involved in the data leak.
Repubblika calls for an investigation
Lobby group Repubblika has sent a letter to Acting Police Commissioner Carmelo Magri asking him to launch an investigation into the possible criminal use and collection of personal data.
Professor Vicki Ann Cremona from Repubblika said the facts mentioned in the media reports surrounding the massive data breach led to suspicions that this data collection could potentially constitute abuse.
“We ask you to take all the necessary measures to investigate the serious allegations, to collect and identify the potential criminal activity in question and to investigate the relation of the people involved with the political parties.”